A LAND attack involves sending a spoofed TCP SYN packet (connection initiation) with the target host’s IP address and an open port as both source and destination. The attack works because it causes the machine to reply to itself continuously.
<strong>What are the countermeasures of the LAND attack?</strong>
Firewall And Router Filtering
Firewalls are already being used to monitor packet traffic and protect systems from malicious access. As a countermeasure to DoS attacks, firewalls can be configured as a relay or as a semi-transparent gateway.
• Firewall as a Relay:
In this approach, the firewall responds on behalf of the internal host. A connection to the host is established only after the three-way handshake is successfully completed.
During an attack, the firewall responds to the SYN sent by the attacker; since the ACK never arrives, the firewall terminates the connection with an RST packet, and the host never receives the datagram. For legitimate connections, the firewall creates a new connection to the internal host on behalf of the client, and continues to act as a proxy, translating the sequence numbers of packets flowing between the client and server.
Strengths: The host is completely shielded from DoS attacks and never receives spoofed SYN packets.
Weaknesses: New delays are introduced for legitimate connections.
• Firewall as semi-transparent Gateway:
In this approach, the firewall passes SYN packets to the host. When the host responds with a SYN+ACK packet, the firewall forwards this packet to the client, and sends an ACK (pre-acknowledgement) packet to the host. If the firewall does not receive a legitimate ACK from the client after some timeout period, an RST packet is sent to the host to terminate the connection. For legitimate connections, the duplicate ACK arriving at the host is discarded by the TCP protocol, and future packets flow without intervention by the firewall.
Strengths: No delays introduced for legitimate connections.
Weaknesses: Timeout period needs to be carefully selected so access is not denied to legitimate connections with long response times.
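The two firewall modes just described, as an added example that is not part of the original page: a tick-based Python simulation in which a burst of spoofed SYNs and a few legitimate clients hit the firewall, while the internal host's connection table is observed. The scenario (50 spoofed SYNs, three legitimate clients with round-trip times of 2, 2 and 8 ticks, a 5-tick timeout) and all client names are constructed.

```python
"""Tick-based simulation of the two firewall modes described above: a relay
(the firewall completes the three-way handshake itself and only then opens a
connection to the internal host) and a semi-transparent gateway (the SYN is
passed through, the host is pre-acknowledged, and an RST tears the connection
down if the client's ACK never arrives).  Added example, not code from the
original page; the scenario, tick values and client names are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Host:
    """Internal server.  conns maps client id -> tick at which the handshake
    completed, or None while the entry is still half-open (SYN_RCVD)."""
    conns: Dict[str, Optional[int]] = field(default_factory=dict)
    rst_received: int = 0

    def on_syn(self, client: str) -> None:
        self.conns[client] = None

    def on_ack(self, client: str, now: int) -> None:
        # TCP discards a duplicate ACK for an already-established connection.
        if client in self.conns and self.conns[client] is None:
            self.conns[client] = now

    def on_rst(self, client: str) -> None:
        self.rst_received += 1
        self.conns.pop(client, None)

    def spoofed_entries(self) -> int:
        return sum(1 for c in self.conns if c.startswith("spoof-"))


class Firewall:
    def __init__(self, mode: str, host: Host, timeout: int) -> None:
        assert mode in ("relay", "semi")
        self.mode, self.host, self.timeout = mode, host, timeout
        self.pending: Dict[str, int] = {}   # client id -> tick its SYN arrived
        self.rst_sent = 0

    def on_syn(self, client: str, now: int) -> None:
        self.pending[client] = now
        if self.mode == "relay":
            return                          # firewall answers SYN+ACK itself
        self.host.on_syn(client)            # pass the SYN through ...
        self.host.on_ack(client, now)       # ... and pre-acknowledge for the client

    def on_ack(self, client: str, now: int) -> None:
        if self.pending.pop(client, None) is None:
            return                          # unknown or already expired handshake
        if self.mode == "relay":
            self.host.on_syn(client)        # handshake proven: connect on behalf of client
        self.host.on_ack(client, now)       # in "semi" this is the discarded duplicate ACK

    def tick(self, now: int) -> None:
        """Expire handshakes whose final ACK has not arrived within the timeout."""
        for client, t0 in list(self.pending.items()):
            if now - t0 >= self.timeout:
                del self.pending[client]
                self.rst_sent += 1
                if self.mode == "semi":
                    self.host.on_rst(client)  # undo the pre-acknowledged connection


def run(mode: str, timeout: int = 5, spoofed: int = 50,
        legit_rtts=(2, 2, 8), duration: int = 20) -> dict:
    """Constructed scenario: at tick 0 a burst of spoofed SYNs (whose ACKs never
    come) arrives together with one SYN per legitimate client; each legitimate
    client's ACK arrives after its round-trip time in ticks."""
    host = Host()
    fw = Firewall(mode, host, timeout)
    peak_spoofed = 0
    for now in range(duration):
        if now == 0:
            for i in range(spoofed):
                fw.on_syn(f"spoof-{i}", now)
            for i in range(len(legit_rtts)):
                fw.on_syn(f"legit-{i}", now)
        for i, rtt in enumerate(legit_rtts):
            if now == rtt:
                fw.on_ack(f"legit-{i}", now)
        fw.tick(now)
        peak_spoofed = max(peak_spoofed, host.spoofed_entries())
    return {
        "peak_spoofed_on_host": peak_spoofed,
        "spoofed_left_on_host": host.spoofed_entries(),
        "rst_sent": fw.rst_sent,
        "legit_established_at": {c: t for c, t in host.conns.items()
                                 if c.startswith("legit-") and t is not None},
    }


if __name__ == "__main__":
    for mode in ("relay", "semi"):
        print(mode, run(mode))
```

In relay mode the host's table never holds a spoofed entry, but the legitimate connections only appear at tick 2, after the client's ACK; in semi-transparent mode they appear at tick 0, at the price of 50 pre-acknowledged spoofed entries sitting on the host until the timeout fires. The third client (8-tick round trip against a 5-tick timeout) is reset before its ACK arrives in both modes, which is the timeout-selection caveat from the weaknesses above; raising the timeout to 10 lets it through.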
• Ingress filtering:
An attacker may forge the source address from which it launches a DoS attack. A forged source address causes the victim to send its SYN+ACK packet to an erroneous address, so the victim never receives the ACK packet it needs to proceed. Network ingress filtering can prevent attackers from using forged source addresses to launch a DoS attack.
Strengths: Effectively stops attackers within the originating network from forging source addresses that do not conform to ingress filtering rules.
Weaknesses: This technique does nothing to address flooding attacks that originate from valid IP addresses, and may negatively affect mobile IP services.
• Egress filtering:
The SANS Institute urged network administrators to adopt egress filtering, which prevents one’s network from being the source of forged communications used in DoS attacks. This ensures that only IP packets with valid source IP addresses leave the network.
Strengths: Useful when deployed close to the end user. Effectively deters attackers from victimizing others with one’s network resources.
Weaknesses: Egress filtering becomes difficult for Internet Service Providers and almost impossible for major service providers, because these providers frequently need to forward legitimate traffic that is not part of their own address space.
• Disable broadcast amplification:
A network can act as an amplification site to flood other networks with DoS attacks such as the “smurf” or “fraggle” attack. Administrators block the receipt and forwarding of network-prefix-directed broadcasts on routers, following RFC 2644.
Strengths: Combined with egress filtering, this technique will prevent participation in a “smurf” or “fraggle” attack.
Weaknesses: Broadcast amplification is a useful diagnostic tool. Without a broadcast amplifier, the WINS server on the network will not receive the broadcast, causing some name resolution on Windows systems to fail.
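The packet-level checks behind the filtering countermeasures above (the LAND signature from the opening paragraph, ingress and egress source-address validation, and RFC 2644 directed-broadcast blocking), as an added example that is not code from the page: a stateless Python filter run over constructed sample packets. The interface names, the internal prefix 192.0.2.0/24 and every address are constructed from the RFC 5737 documentation ranges.

```python
"""Stateless packet filter implementing the router/firewall checks described
above: the LAND signature (source == destination address and port), directed
broadcast blocking (RFC 2644), ingress filtering on the outside interface and
egress filtering on the inside interface.  Added example, not the page's code;
addresses are constructed from the RFC 5737 documentation ranges."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed topology: the prefix we are responsible for sits behind "inside".
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "outside" or "inside"
    src: str
    dst: str
    sport: int
    dport: int


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def is_directed_broadcast(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip == net.broadcast_address for net in INTERNAL_NETS)


def filter_packet(pkt: Packet) -> Tuple[str, str]:
    """Return (verdict, rule) for one packet; rules are evaluated in order."""
    # LAND: source and destination address *and* port are identical.  No real
    # flow looks like this, so it is dropped regardless of TCP flags.
    if pkt.src == pkt.dst and pkt.sport == pkt.dport:
        return "DROP", "land"
    # RFC 2644: never forward a prefix-directed broadcast arriving from outside.
    if pkt.iface == "outside" and is_directed_broadcast(pkt.dst):
        return "DROP", "directed-broadcast"
    # Ingress filtering: outside traffic must not claim one of our addresses.
    if pkt.iface == "outside" and is_internal(pkt.src):
        return "DROP", "ingress-spoofed-source"
    # Egress filtering: traffic leaving must carry one of our addresses.
    if pkt.iface == "inside" and not is_internal(pkt.src):
        return "DROP", "egress-spoofed-source"
    return "ACCEPT", ""


# Constructed sample traffic: one packet per rule plus two legitimate flows.
SAMPLES: List[Packet] = [
    Packet("outside", "192.0.2.10", "192.0.2.10", 139, 139),        # LAND signature
    Packet("outside", "198.51.100.7", "192.0.2.255", 53, 53),       # directed broadcast
    Packet("outside", "192.0.2.44", "192.0.2.10", 40000, 80),       # forged internal source
    Packet("inside", "203.0.113.9", "198.51.100.7", 40000, 80),     # forged source leaving
    Packet("outside", "198.51.100.7", "192.0.2.10", 40000, 80),     # normal inbound
    Packet("inside", "192.0.2.10", "198.51.100.7", 80, 40000),      # normal outbound
]


def summarize(packets: List[Packet]) -> dict:
    """Count verdicts by rule, the shape a detection dashboard would consume."""
    counts: dict = {}
    for pkt in packets:
        verdict, rule = filter_packet(pkt)
        key = rule or verdict
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for pkt in SAMPLES:
        print(filter_packet(pkt), pkt)
    print(summarize(SAMPLES))
```

The rule order matters for reporting: a LAND packet arriving from outside would also trip the ingress rule, so the more specific signature is tested first. Note that none of these rules helps against a flood whose source addresses are valid, which is exactly the weakness listed for ingress filtering.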
<strong>Operating system improvements</strong>
• Request Dropping:
Sun considered request dropping as a control mechanism to handle SYN flooding attacks. This admission control mechanism drops a pending request from a full connection request queue. The algorithm can pick a request at random, select the oldest request, or use a combination of both, to deal with a queue under attack. An analytical model was revised for the random drop algorithm, and a high-fidelity simulation was used to compare random request dropping with three other cookie-based SYN flooding defense mechanisms.
Strengths: Random dropping worked well under both low and high congestion, keeping client performance losses below 10% even under very high spoofed SYN rates.
Weaknesses: An attacker can occasionally deny a legitimate connection request.
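The request-dropping admission control described above, as an added example that is neither the page's nor Sun's code: a Python simulation of a bounded pending-connection queue with the three drop policies, fed by a constructed mix of legitimate and spoofed SYNs. The "mixed" policy is this example's own reading of "a combination of both" (a random pick among the oldest half of the queue), and the capacity, rates and round-trip time are constructed.

```python
"""Simulation of request dropping as an admission control for the pending
connection (SYN) queue: when the queue is full, a victim entry is evicted
according to a drop policy.  Added example, not code from the page or from
Sun; 'mixed' is this example's own reading of "a combination of both"
(a random pick among the oldest half of the queue), and all traffic
parameters are constructed."""
import random
from typing import Dict, Optional


class SynQueue:
    def __init__(self, capacity: int, policy: str, rng: random.Random) -> None:
        assert policy in ("random", "oldest", "mixed")
        self.capacity, self.policy, self.rng = capacity, policy, rng
        self.pending: Dict[str, int] = {}   # request id -> arrival tick, insertion ordered
        self.dropped = 0

    def _victim(self) -> str:
        keys = list(self.pending)             # insertion order doubles as age order
        if self.policy == "oldest":
            return keys[0]
        if self.policy == "random":
            return self.rng.choice(keys)
        return self.rng.choice(keys[: max(1, len(keys) // 2)])   # mixed (assumption)

    def on_syn(self, req: str, now: int) -> Optional[str]:
        """Queue a new half-open request; return the id evicted to make room, if any."""
        victim = None
        if len(self.pending) >= self.capacity:
            victim = self._victim()
            del self.pending[victim]
            self.dropped += 1
        self.pending[req] = now
        return victim

    def on_ack(self, req: str) -> bool:
        """Final ACK of the handshake: succeeds only if the request survived in the queue."""
        return self.pending.pop(req, None) is not None


def simulate(policy: str, capacity: int = 64, spoof_rate: int = 40,
             rtt: int = 2, clients: int = 100, seed: int = 1) -> dict:
    """Constructed load: each tick one legitimate SYN arrives (for the first
    `clients` ticks) followed by spoof_rate spoofed SYNs; the legitimate ACK
    arrives rtt ticks later, spoofed ACKs never do."""
    q = SynQueue(capacity, policy, random.Random(seed))
    completed, peak = 0, 0
    for now in range(clients + rtt + 1):
        acked = now - rtt
        if 0 <= acked < clients and q.on_ack(f"legit-{acked}"):
            completed += 1
        if now < clients:
            q.on_syn(f"legit-{now}", now)
        for i in range(spoof_rate):
            q.on_syn(f"spoof-{now}-{i}", now)
        peak = max(peak, len(q.pending))
    return {"completed": completed, "dropped": q.dropped, "peak_queue": peak}


if __name__ == "__main__":
    for policy in ("oldest", "random", "mixed"):
        print(policy, simulate(policy))
```

With 81 spoofed arrivals landing between a legitimate SYN and its ACK against a 64-entry queue, dropping the oldest entry evicts every legitimate request before its ACK can arrive, so nothing completes. Random dropping degrades gracefully instead: each legitimate request survives with roughly (63/64)^81, about a quarter in this constructed setting, and the exact count depends on the seed. Without spoofed traffic all three policies complete every connection, and the weakness listed above is visible in the random policy's misses: a legitimate request can be the unlucky victim.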